{ "info": { "author": "Brian Nuszkowski", "author_email": "brian@bnuz.co", "bugtrack_url": null, "classifiers": [], "description": "aws-mfa: Easily manage your AWS Security Credentials when using Multi-Factor Authentication (MFA)\n=================================================================================================\n\n**aws-mfa** makes it easy to manage your AWS SDK Security Credentials when Multi-Factor Authentication (MFA) is enforced on your AWS account. It automates the process of obtaining temporary credentials from the [AWS Security Token Service](http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html) and updating your [AWS Credentials](https://blogs.aws.amazon.com/security/post/Tx3D6U6WSFGOK2H/A-New-and-Standardized-Way-to-Manage-Credentials-in-the-AWS-SDKs) file (located at `~/.aws/credentials`). Traditional methods of managing MFA-based credentials requires users to write their own bespoke scripts/wrappers to fetch temporary credentials from STS and often times manually update their AWS credentials file.\n\nThe concept behind **aws-mfa** is that there are 2 types of credentials:\n\n* `long-term` - Your typcial AWS access keys, consisting of an `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`\n\n* `short-term` - A temporary set of credentials that are generated by AWS STS using your `long-term` credentials in combination with your MFA device serial number (either a hardware device serial number or virtual device ARN) and one time token code. Your short term credentials are the credentials that are actively utilized by the AWS SDK in use.\n\n\nIf you haven't yet enabled multi-factor authentication for AWS API access, check out the [AWS article](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html) on doing so.\n\n\nInstallation:\n-------------\nOption 1\n```sh\n$ pip install aws-mfa\n```\n\nOption 2\n```sh\n1. Clone this repo\n2. $ python setup.py install\n```\n\nCredentials File Setup\n----------------------\n\nIn a typical AWS credentials file (located at `~/.aws/credentials`), credentials are stored in sections, denoted by a pair of brackets: `[]`. The `[default]` section stores your default credentials. You can store multiple sets of credentials using different profile names. If no profile is specified, the `[default]` section is always used.\n\nBy default long term credential sections are identified by the convention `[-long-term]` and short term credentials are identified by the typical convention: `[]`. The following illustrates how you would configure you credentials file using **aws-mfa** with your default credentials:\n\n```ini\n[default-long-term]\naws_access_key_id = YOUR_LONGTERM_KEY_ID\naws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY\n```\n\nAfter running `aws-mfa`, your credentials file would read:\n\n```ini\n[default-long-term]\naws_access_key_id = YOUR_LONGTERM_KEY_ID\naws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY\n\n\n[default]\naws_access_key_id = \naws_secret_access_key = \naws_security_token = \n```\n\nSimilarly, if you utilize a credentials profile named **development**, your credentials file would look like:\n\n```ini\n[development-long-term]\naws_access_key_id = YOUR_LONGTERM_KEY_ID\naws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY\n```\n\n\nAfter running `aws-mfa`, your credentials file would read:\n\n```ini\n[development-long-term]\naws_access_key_id = YOUR_LONGTERM_KEY_ID\naws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY\n\n[development]\naws_access_key_id = \naws_secret_access_key = \naws_security_token = \n```\n\nThe default naming convention for the credential section can be overriden by using the `--long-term-suffix` and\n`--short-term-suffix` command line arguments. For example, in a multi account scenario you can have one AWS account\nthat manages the IAM users for your organization and have other AWS accounts for development, staging and production\nenvironments.\n\nAfter running `aws-mfa` once for each environment with a different value for `--short-term-suffix`, your credentials\nfile would read:\n\n```ini\n[myorganization-long-term]\naws_access_key_id = YOUR_LONGTERM_KEY_ID\naws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY\n\n[myorganization-development]\naws_access_key_id = \naws_secret_access_key = \naws_security_token = \n\n[myorganization-staging]\naws_access_key_id = \naws_secret_access_key = \naws_security_token = \n\n[myorganization-production]\naws_access_key_id = \naws_secret_access_key = \naws_security_token = \n```\n\nThis allows you to access multiple environments without the need to run `aws-mfa` each time you want to switch\nenvironments.\n\nIf you don't like the a long term suffix, you can omit it by passing the value `none` for the `--long-term-suffix`\ncommand line argument. After running ``aws-mfa`` once for each environment with a different value for\n`--short-term-suffix`, your credentials file would read:\n\n```ini\n[myorganization]\naws_access_key_id = YOUR_LONGTERM_KEY_ID\naws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY\n\n[myorganization-development]\naws_access_key_id = \naws_secret_access_key = \naws_security_token = \n\n[myorganization-staging]\naws_access_key_id = \naws_secret_access_key = \naws_security_token = \n\n[myorganization-production]\naws_access_key_id = \naws_secret_access_key = \naws_security_token = \n```\n\nUsage\n-----\n\n```\n--device arn:aws:iam::123456788990:mfa/dudeman\n The MFA Device ARN. This value can also be provided\n via the environment variable 'MFA_DEVICE' or the\n ~/.aws/credentials variable 'aws_mfa_device'.\n--duration DURATION The duration, in seconds, that the temporary\n credentials should remain valid. Minimum value: 900\n (15 minutes). Maximum: 129600 (36 hours). Defaults to\n 43200 (12 hours), or 3600 (one hour) when using\n '--assume-role'. This value can also be provided via\n the environment variable 'MFA_STS_DURATION'.\n--profile PROFILE If using profiles, specify the name here. The default\n profile name is 'default'. The value can also be\n provided via the environment variable 'AWS_PROFILE'.\n--long-term-suffix LONG_TERM_SUFFIX\n To identify the long term credential section by\n [-LONG_TERM_SUFFIX]. Use 'none' to\n identify the long term credential section by\n []. Omit to identify the long term \n credential section by [-long-term].\n--short-term-suffix SHORT_TERM_SUFFIX\n To identify the short term credential section by\n [-SHORT_TERM_SUFFIX]. Omit or use 'none'\n to identify the short term credential section by\n [].\n--assume-role arn:aws:iam::123456788990:role/RoleName\n The ARN of the AWS IAM Role you would like to assume,\n if specified. This value can also be provided via the\n environment variable 'MFA_ASSUME_ROLE'\n--role-session-name ROLE_SESSION_NAME\n Friendly session name required when using --assume-\n role. By default, this is your local username.\n```\n\n**Argument precedence**: Command line arguments take precedence over environment variables.\n\nUsage Example\n-------------\n\nRun **aws-mfa** *before* running any of your scripts that use any AWS SDK.\n\n\nUsing command line arguments:\n\n```sh\n$> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman\nINFO - Using profile: default\nINFO - Your credentials have expired, renewing.\nEnter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):123456\nINFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:07:09+00:00\n```\n\nUsing environment variables:\n\n```sh\nexport MFA_DEVICE=arn:aws:iam::123456788990:mfa/dudeman\n$> aws-mfa --duration 1800\nINFO - Using profile: default\nINFO - Your credentials have expired, renewing.\nEnter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):123456\nINFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:07:09+00:00\n```\n\n```sh\nexport MFA_DEVICE=arn:aws:iam::123456788990:mfa/dudeman\nexport MFA_STS_DURATION=1800\n$> aws-mfa\nINFO - Using profile: default\nINFO - Your credentials have expired, renewing.\nEnter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):123456\nINFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:07:09+00:00\n```\n\nOutput of running **aws-mfa** while credentials are still valid:\n\n```sh\n$> aws-mfa\nINFO - Using profile: default\nINFO - Your credentials are still valid for 1541.791134 seconds they will expire at 2015-12-21 23:07:09\n```\n\nUsing a profile: (profiles allow you to reference different sets of credentials, perhaps for different users or different regions)\n\n```sh\n$> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman --profile development\nINFO - Using profile: development\nEnter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):666666\nINFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:09:04+00:00\n```\n\nUsing a profile that is set via the environment variable `AWS_PROFILE`:\n\n```sh\n$> export AWS_PROFILE=development\n$> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman\nINFO - Using profile: development\nEnter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):666666\nINFO - Success! Your credentials will expire in 1800 seconds at: 2015-12-21 23:09:04+00:00\n```\n\nAssuming a role:\n\n```sh\n$> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman --assume-role arn:aws:iam::123456788990:role/some-role --role-session-name some-role-session\nINFO - Validating credentials for profile: default with assumed role arn:aws:iam::123456788990:role/some-role\nINFO - Obtaining credentials for a new role or profile.\nEnter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):123456\nINFO - Success! Your credentials will expire in 1800 seconds at: 2016-10-24 18:58:17+00:00\n```\n\nAssuming a role: Assume a role specified in your `long-term` configuration\n\n```ini\n[default-long-term]\naws_access_key_id = YOUR_LONGTERM_KEY_ID\naws_secret_access_key = YOUR_LONGTERM_ACCESS_KEY\nassume_role = arn:aws:iam::123456788990:role/some-role\n```\n\n```sh\n$> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman --role-session-name some-role-session\n```\n\nAssuming a role using a profile:\n\n```sh\n$> aws-mfa --duration 1800 --device arn:aws:iam::123456788990:mfa/dudeman --profile development --assume-role arn:aws:iam::123456788990:role/some-role --role-session-name some-role-session\nINFO - Validating credentials for profile: development with assumed role arn:aws:iam::123456788990:role/some-role\nINFO - Obtaining credentials for a new role or profile.\nEnter AWS MFA code for device [arn:aws:iam::123456788990:mfa/dudeman] (renewing for 1800 seconds):123456\nINFO - Success! Your credentials will expire in 1800 seconds at: 2016-10-24 18:58:17+00:00\n```\n\nAssuming a role in multiple accounts and be able to work with both accounts simultaneously (i.e. production an staging):\n\n```sh\n$> aws-mfa \u2014profile myorganization --assume-role arn:aws:iam::222222222222:role/Administrator --short-term-suffix production --long-term-suffix none --role-session-name production\nINFO - Validating credentials for profile: myorganization-production with assumed role arn:aws:iam::222222222222:role/Administrator\nINFO - Your credentials have expired, renewing.\nEnter AWS MFA code for device [arn:aws:iam::111111111111:mfa/me] (renewing for 3600 seconds):123456\nINFO - Success! Your credentials will expire in 3600 seconds at: 2017-07-10 07:16:43+00:00\n\n$> aws-mfa \u2014profile myorganization --assume-role arn:aws:iam::333333333333:role/Administrator --short-term-suffix staging --long-term-suffix none --role-session-name staging \nINFO - Validating credentials for profile: myorganization-staging with assumed role arn:aws:iam::333333333333:role/Administrator\nINFO - Your credentials have expired, renewing.\nEnter AWS MFA code for device [arn:aws:iam::111111111111:mfa/me] (renewing for 3600 seconds):123456\nINFO - Success! Your credentials will expire in 3600 seconds at: 2017-07-10 07:16:44+00:00\n\n$> aws s3 list-objects \u2014bucket my-production-bucket \u2014profile myorganization-production\n\n$> aws s3 list-objects \u2014bucket my-staging-bucket \u2014profile myorganization-staging\n```\n\n", "description_content_type": "", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/broamski/aws-mfa", "keywords": "", "license": "MIT", "maintainer": "", "maintainer_email": "", "name": "aws-mfa", "package_url": "https://pypi.org/project/aws-mfa/", "platform": "", "project_url": "https://pypi.org/project/aws-mfa/", "project_urls": { "Homepage": "https://github.com/broamski/aws-mfa" }, "release_url": "https://pypi.org/project/aws-mfa/0.0.12/", "requires_dist": [ "boto3" ], "requires_python": "", "summary": "Manage AWS MFA Security Credentials", "version": "0.0.12" }, "last_serial": 3821295, "releases": { "0.0.1": [], "0.0.10": [ { "comment_text": "", "digests": { "md5": "de61d2bd255b476882024810a1f48d7e", "sha256": "16f41dc54c9f97982536800eb4c5dbb0933a00f631f84637170e2427bf720f5c" }, "downloads": -1, "filename": "aws-mfa-0.0.10.tar.gz", "has_sig": false, "md5_digest": "de61d2bd255b476882024810a1f48d7e", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 6720, "upload_time": "2017-10-16T13:51:59", "url": "https://files.pythonhosted.org/packages/83/88/5c71bbd7b2a29548488e38a2e48023d62f06a264254c2b127414b9f3d000/aws-mfa-0.0.10.tar.gz" } ], "0.0.11": [ { "comment_text": "", "digests": { "md5": "10b70935fbd3e8bcd7cb79996a85e9fb", "sha256": "aa5c2c16af346c62fb700344815210ec75e89a2a4dd3327799cad1badc2d0dff" }, "downloads": -1, "filename": "aws_mfa-0.0.11-py2.7.egg", "has_sig": false, "md5_digest": "10b70935fbd3e8bcd7cb79996a85e9fb", "packagetype": "bdist_egg", "python_version": "2.7", "requires_python": null, "size": 15064, "upload_time": "2018-04-28T17:41:03", "url": "https://files.pythonhosted.org/packages/46/af/3741cc6103362d54c508504f542a2fc389f7ec97afde193ba5b1ada10df9/aws_mfa-0.0.11-py2.7.egg" }, { "comment_text": "", "digests": { "md5": "f331fe1ee607213eece1c778d85bcefa", "sha256": "5448773550254339bceef1ae739a5626739817fcb82234d4e5c4e2e762aa511d" }, "downloads": -1, "filename": "aws_mfa-0.0.11-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "f331fe1ee607213eece1c778d85bcefa", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 13049, "upload_time": "2018-04-28T17:41:01", "url": "https://files.pythonhosted.org/packages/4a/ae/42c24b0dec7620327a139368566b71b036b581208ec13729b7b68441f6ba/aws_mfa-0.0.11-py2.py3-none-any.whl" } ], "0.0.12": [ { "comment_text": "", "digests": { "md5": "561af4f92793ffc35fb4a76cabb76528", "sha256": "aef772e38734f1a50e618a2b19a8a69e5f0ced9cbeaf3be5132e9e1ba04fa294" }, "downloads": -1, "filename": "aws_mfa-0.0.12-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "561af4f92793ffc35fb4a76cabb76528", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 13047, "upload_time": "2018-04-30T16:23:14", "url": "https://files.pythonhosted.org/packages/14/87/5c0c3368ad0412870a90a03fa8ee8f1f9c500d71dff121636fb90561b53e/aws_mfa-0.0.12-py2.py3-none-any.whl" } ], "0.0.2": [ { "comment_text": "", "digests": { "md5": "58f32df5840f635a6dbf2353078859d8", "sha256": "bf187c4fc92ee7727b1db7e14cec713270ccb772686615e55862852958723455" }, "downloads": -1, "filename": "aws_mfa-0.0.2-cp27-none-macosx_10_11_intel.whl", "has_sig": false, "md5_digest": "58f32df5840f635a6dbf2353078859d8", "packagetype": "bdist_wheel", "python_version": "2.7", "requires_python": null, "size": 4129, "upload_time": "2015-12-22T00:02:58", "url": "https://files.pythonhosted.org/packages/47/9a/7e89f5828e64c269dd6dace9e8dae85891adaa201e9f0ec2e2afa077a0d9/aws_mfa-0.0.2-cp27-none-macosx_10_11_intel.whl" }, { "comment_text": "", "digests": { "md5": "e12e7f70c4888a7b03f9149163bf288c", "sha256": "9dcd34d366d4373c6b406cb053cfe804f22d54b90c5f7af353f1de8fe943d21c" }, "downloads": -1, "filename": "aws-mfa-0.0.2.tar.gz", "has_sig": false, "md5_digest": "e12e7f70c4888a7b03f9149163bf288c", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 4648, "upload_time": "2015-12-22T00:02:37", "url": "https://files.pythonhosted.org/packages/de/95/8220adacf6276f7b770fcc789fe17053c92a87cf1b4833e8820c1e80825e/aws-mfa-0.0.2.tar.gz" } ], "0.0.3": [ { "comment_text": "", "digests": { "md5": "cbd2f9246b92a4cde3dd91a89e342036", "sha256": "41d64c497d93b38a3b8a8118b559b7c08c3c521712631c4108056a40c7df57b6" }, "downloads": -1, "filename": "aws-mfa-0.0.3.tar.gz", "has_sig": false, "md5_digest": "cbd2f9246b92a4cde3dd91a89e342036", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 4615, "upload_time": "2015-12-22T00:24:43", "url": "https://files.pythonhosted.org/packages/d3/d5/8653ec6dc59d5210e82fbc0de2f37bf66d27e0e67022587303dd45ebd53b/aws-mfa-0.0.3.tar.gz" } ], "0.0.4": [ { "comment_text": "", "digests": { "md5": "7de044a2253e375d9903fad8b1e87227", "sha256": "11dcac9d69b8e01436308aebc5546ef770e07887ec6ee5b3a32987428f5bd5c4" }, "downloads": -1, "filename": "aws-mfa-0.0.4.tar.gz", "has_sig": false, "md5_digest": "7de044a2253e375d9903fad8b1e87227", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 4622, "upload_time": "2015-12-22T00:28:27", "url": "https://files.pythonhosted.org/packages/04/b4/17a6383e4e45395f3d370223efa9d75e3093ab74d95506809bf40239307b/aws-mfa-0.0.4.tar.gz" } ], "0.0.5": [ { "comment_text": "", "digests": { "md5": "44633f5cf153a4009e9e7cb85dea9b83", "sha256": "d349605acd04bb73a8f5f233be75bf2744e835ac4af3287321e774bccd721cfa" }, "downloads": -1, "filename": "aws-mfa-0.0.5.tar.gz", "has_sig": false, "md5_digest": "44633f5cf153a4009e9e7cb85dea9b83", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 5106, "upload_time": "2016-01-18T17:40:31", "url": "https://files.pythonhosted.org/packages/67/45/58764fdb9803fba67650b2c731a08f40e305d3bcf9bcd01d9868d00c221b/aws-mfa-0.0.5.tar.gz" } ], "0.0.6": [ { "comment_text": "", "digests": { "md5": "4d0e735562b21556e86c2b58e5d4db10", "sha256": "d5ed16b64c82259c3159c789a886774e5babad094715a629c74ed274b34ed3c5" }, "downloads": -1, "filename": "aws-mfa-0.0.6.tar.gz", "has_sig": false, "md5_digest": "4d0e735562b21556e86c2b58e5d4db10", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 5106, "upload_time": "2016-07-23T03:55:12", "url": "https://files.pythonhosted.org/packages/a0/e1/9a323d543c88156c86ded3901b8fb6f42de37fc49a3bb8018f729964b493/aws-mfa-0.0.6.tar.gz" } ], "0.0.7": [ { "comment_text": "", "digests": { "md5": "d129e53fd07c639290b719479daee6fa", "sha256": "3f21e23c3187b181d7a36a4414e0e9d0e1114a5e39c592fb885a58e1abff0d0b" }, "downloads": -1, "filename": "aws-mfa-0.0.7.tar.gz", "has_sig": false, "md5_digest": "d129e53fd07c639290b719479daee6fa", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 5290, "upload_time": "2016-11-02T14:50:01", "url": "https://files.pythonhosted.org/packages/f1/c0/0f7e5c9d61f7a0a4213e943f3d186d4cc23b964950fd600197f74caf0132/aws-mfa-0.0.7.tar.gz" } ], "0.0.8": [ { "comment_text": "", "digests": { "md5": "65a3e23eb0ca5029cd72b948c5a1af21", "sha256": "46e7e5c7e72300ab8d071ce10dbf89875374120ff77ee074b56f901b4df228dd" }, "downloads": -1, "filename": "aws-mfa-0.0.8.tar.gz", "has_sig": false, "md5_digest": "65a3e23eb0ca5029cd72b948c5a1af21", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 5695, "upload_time": "2016-12-13T05:06:13", "url": "https://files.pythonhosted.org/packages/9b/5c/4ea7e0cf9bde32c0d56301d515593cad3d3d522b51e5a712dd880f335410/aws-mfa-0.0.8.tar.gz" } ], "0.0.9": [ { "comment_text": "", "digests": { "md5": "9683b8a1e5ebc65f14a72d79eaef09c8", "sha256": "1ca030682425906973aa0218503344a4339a8bd2d2bc4f8651481ee450aff0ef" }, "downloads": -1, "filename": "aws-mfa-0.0.9.tar.gz", "has_sig": false, "md5_digest": "9683b8a1e5ebc65f14a72d79eaef09c8", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 6581, "upload_time": "2017-09-23T02:40:49", "url": "https://files.pythonhosted.org/packages/cf/d3/83ef5fc66668582d3171d2269b134f334bfed01b4533a6db0f158c6fda42/aws-mfa-0.0.9.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "561af4f92793ffc35fb4a76cabb76528", "sha256": "aef772e38734f1a50e618a2b19a8a69e5f0ced9cbeaf3be5132e9e1ba04fa294" }, "downloads": -1, "filename": "aws_mfa-0.0.12-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "561af4f92793ffc35fb4a76cabb76528", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 13047, "upload_time": "2018-04-30T16:23:14", "url": "https://files.pythonhosted.org/packages/14/87/5c0c3368ad0412870a90a03fa8ee8f1f9c500d71dff121636fb90561b53e/aws_mfa-0.0.12-py2.py3-none-any.whl" } ] }